PS-07 External Personnel Security

a. Establish personnel security requirements, including security roles and responsibilities for external providers;

b. Require external providers to comply with personnel security policies and procedures established by the organization;

c. Document personnel security requirements;

d. Require external providers to notify ps-07_odp.01 of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within ps-07_odp.02 ; and

e. Monitor provider compliance with personnel security requirements.

Parameter ID Definition
ps-07_odp.01 personnel or roles
ps-07_odp.02 time period



External provider refers to organizations other than the organization operating or acquiring the system. External providers include service bureaus, contractors, and other organizations that provide system development, information technology services, testing or assessment services, outsourced applications, and network/security management. Organizations explicitly include personnel security requirements in acquisition-related documents. External providers may have personnel working at organizational facilities with credentials, badges, or system privileges issued by organizations. Notifications of external personnel changes ensure the appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include functions, roles, and the nature of credentials or privileges associated with transferred or terminated individuals.

References 2

Related controls 12